IETF Logo Mail Archive

[OAUTH-WG] Review of draft-rosenberg-oauth-aauth-00

"Lombardo, Jeff" <jeffsec@amazon.com> Tue, 22 July 2025 16:59 UTC

Return-Path: <prvs=2911070ca=jeffsec@amazon.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0932348B1FD0; Tue, 22 Jul 2025 09:59:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.792
X-Spam-Level:
X-Spam-Status: No, score=-2.792 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=amazon.com header.b="RXwxtXxo"; dkim=pass (1024-bit key) header.d=amazon.onmicrosoft.com header.b="r6NkSqnf"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xF6FUlBgXubn; Tue, 22 Jul 2025 09:59:36 -0700 (PDT)
Received: from smtp-fw-80009.amazon.com (smtp-fw-80009.amazon.com [99.78.197.220]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D671448B1DCD; Tue, 22 Jul 2025 09:58:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazoncorp2; t=1753203494; x=1784739494; h=from:to:cc:subject:date:message-id:mime-version; bh=Pp7+IV1hRk5eSLDzapj/+UTgRQ60311YbkipZm8L6ow=; b=RXwxtXxoQxWWxNfQXVfWZ3Y7VHe5LKY0WIVR7AhoWiD17jdClYGHA97/ 2vCJr5Sf7dKb93iHiloTHBsbYR3ixdirOtK2vSf2Z50XuC6j3dI8TxdKI aOF1boQNcpiY5MJ/08KCR3bYFEI8SlHUwuVhHcIQ8Ym7U9pXDPJWLmIao eHKOai9PKkGkqLN7iZx1quChej0gJAZTBUDerP62KGHsBF1RMcxaBTYsZ 1BfzfUR2IWZB+wNAjMousGivcklhjMyDgFaiz+IPwPn5cRDIyJ2j/Oj99 RXH1sNjtj6Co5mvNawRQ9FFkyYyuf3A8xqWi9emmW86GJIBDaTweBasJ5 w==;
X-IronPort-AV: E=Sophos;i="6.16,332,1744070400"; d="scan'208,217";a="220686874"
Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO smtpout.prod.us-east-1.prod.farcaster.email.amazon.dev) ([10.25.36.210]) by smtp-border-fw-80009.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Jul 2025 16:58:12 +0000
Received: from EX19MTAUEA001.ant.amazon.com [10.0.44.209:57901] by smtpin.naws.us-east-1.prod.farcaster.email.amazon.dev [10.0.23.49:2525] with esmtp (Farcaster) id 1675020d-23c6-4496-8245-a1953bf5cbae; Tue, 22 Jul 2025 16:58:12 +0000 (UTC)
X-Farcaster-Flow-ID: 1675020d-23c6-4496-8245-a1953bf5cbae
Received: from EX19EXOUEB002.ant.amazon.com (10.252.135.74) by EX19MTAUEA001.ant.amazon.com (10.252.134.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1544.14; Tue, 22 Jul 2025 16:58:10 +0000
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (10.252.135.42) by EX19EXOUEB002.ant.amazon.com (10.252.135.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1544.14 via Frontend Transport; Tue, 22 Jul 2025 16:58:10 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=sy9OJPm4mpwr+occUenbAB1h6QlNx2QczHF7UcXJGGGb2XBnfiIDZctDOWe/hpMB3wHuwjUgTcf8Dt0I2VM0lNBDFsZWOibyVxU5aSdsdqD8xUEfePDU/RyP0E050CrQ8t+yxwrGZBR1B9ah6b9mrZ0aCjj2zLBFGPSY9b+zCCHcEi2lYpnuK0gO2leRyNhGQgqGEs8RArOdTH++fRWUtbyTiv8npCG/daN0xxylvVGmwfr+Rybg6CRawWkh1dKV+ubvh9Na9dUvuVlZKAHXZqJs95PDLgQKr3ozMekSqhffO3M9ohKA9yBvDLR3fHv615MwwSDr/3sJLKLgK/KWkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Pp7+IV1hRk5eSLDzapj/+UTgRQ60311YbkipZm8L6ow=; b=DF0zME0K8DJvtc3ZsNK+BdFtLBPB3rljf/MDHtMgAto/kPP7RbC8UbTqPDalB+0nWE1fk7uCMoZKPDVz6EgXMM8nFMfDNlsnpPpnrngNDkCPidzgZqvpGnRSQL1JR/wDefLCu+dTbydvRlAUly//k4uXrpKIR9MYB6ZaFLWvSjTR4j33k0hpSTAnBxqARyiXd0Ml2gzhWElfbwdQ34CAC0MM1QKqrmLDxCTtuy9aX6+nSzFaOwsC9oELT+FUeXdD66dHQgAIU+oXV9G0/KyXIEEvv9AlFdhHwAzIwMxYcSgQtqWTurM4j4vVxru/ArQoiLM3GwJ/kTfG+/yDbN5d7Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amazon.com; dmarc=pass action=none header.from=amazon.com; dkim=pass header.d=amazon.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.onmicrosoft.com; s=selector2-amazon-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Pp7+IV1hRk5eSLDzapj/+UTgRQ60311YbkipZm8L6ow=; b=r6NkSqnfpER3YBC0XVN1Qv74zj7WmwPPpBx2w0z2w3JSuHbtr2BCyH6JxTspX1Bsf5s1AnY1HYiYe5HsqMqu2ioXyAwS1iHcWCNM1WnQ/Jcs4B7u+K5gfzJu7xYIfBpuMc4ArlDAOvV4qWbmcFbuD4xrZFI2pcAQ8cRQei5wSO8=
Received: from CO1PR18MB4684.namprd18.prod.outlook.com (2603:10b6:303:e7::5) by IA1PR18MB5472.namprd18.prod.outlook.com (2603:10b6:208:44d::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8943.30; Tue, 22 Jul 2025 16:58:05 +0000
Received: from CO1PR18MB4684.namprd18.prod.outlook.com ([fe80::6892:d56d:e84a:b165]) by CO1PR18MB4684.namprd18.prod.outlook.com ([fe80::6892:d56d:e84a:b165%3]) with mapi id 15.20.8964.019; Tue, 22 Jul 2025 16:58:05 +0000
From: "Lombardo, Jeff" <jeffsec@amazon.com>
To: "agent2agent@ietf.org" <agent2agent@ietf.org>
Thread-Topic: Review of draft-rosenberg-oauth-aauth-00
Thread-Index: Adv7JWCWyQtWAI0hQLuM2nOv19qoPg==
Date: Tue, 22 Jul 2025 16:58:05 +0000
Message-ID: <CO1PR18MB46844001C4CA2621182321BCD95CA@CO1PR18MB4684.namprd18.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amazon.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR18MB4684:EE_|IA1PR18MB5472:EE_
x-ms-office365-filtering-correlation-id: b4cabf95-178f-4156-3e3c-08ddc940ed3c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|376014|366016|8096899003|13003099007|38070700018;
x-microsoft-antispam-message-info: /gl2c5CJVTBuU1vXRUF7frWxoaq8GRDqOZpF+lGqvPvG/wEKQkuzgQKnWutUzqUYTRWys96JNjZ14dYsTqdiY44qNTQebEmvEakG0K6ZJejgRvJ4ncaVVFyHBKjkXiafhuwRDAfP7PS68txirAHULmcvJc56Z5ZsL7kt0Z+rocrGVQhrgRolX7OtiYsj/j5moLyY8s1KpJ8iMYwa5H+29GeqcflEpRZmNYcC3kf/1SQLocXeG/5scJN+YJZ+2atjAwu6fYib3LOqnKhCd75clvT1cyPiVduO5WCRGJlxsi2YH2QqZFilBasjvX/yfwcMxCaGsxp5t4p5Q0eWxR3g9YbAKXF1gIZASuPOlEDAW03ms/mV7++wea5jzp1s+TCre9DY7I3vQUrfZsjYdZ8nm3i7syfz4mPV6bA+k1+NbWWBnl3JBeYWalQVKUGrZRZpPLW4wCByT/foaDCGQjYNFz3igITZQ818b6LMh2YoZcV0dej00UJHWg/rJTziQgpqxZBscJ9wc8BDZFKxtedQkTUkBMOZMN679kroNQRh6DmjhVftoMNdIczyUyaenj8Gd+Or+9UisKSIdhSduVJeyJZuwjPEcF9S/5ixlK6/i9RfW9rpCKTQ2mfMB8eSoHF9CZnwzYn+QMYx9XvhWEGhiQVJIE6ENQE3cRPuSASbduAAf+9nWN7GrcxFF5aeCZh3A25QctKXmlP/JPD+bQIRUhZ4E8APj3OHc9dIpKCxD13f1zFqZoGSpoh5F6wI9qq8U5gcgzb0JZRaMdcNa/MYJqEm6/Mroug7QqDR8Uy29F+aOZgm3FUOAn8/W+QLuVD0E/7UOMEldAqsuQrTe+l3a87YIFSPQ7UyHRmH5FCedqJM4/VP77B2+X1XaD0+xnorG+r8SiWbwxkXJNbypJOyZqsIoeXfjwOXjYuLHh1CbWzBRVtwuwBwe/TNIxEAgLXRl949EqdM3U58ESt4p9FEJKDV6wRSUpBkwanrdwpYrFuSvZISHmjlIEwv3L+A56XqMsYkEsWSoWWxzPI42oHpVmFjRuFSHvDDKZ39rfTi9VFe3pKVyYGU8vTMcRYQIIq+ICbt4xEt7lzfaUee8TPDpcEaZdcESUiF+Su5oXZRaTMQ0vEgcjZ95MltipKztziBjU+NBTkEc2MR51SCiOsrrVbD4aH1y4ihmWVMIUFvd2RHukfvbk4/ftyAnR9bDIvaNQZJGCPB8AoKisOmW1PdzIh5/9tplOyjIgZ2fcFiM6yLjn5ZmVBS1VqZnbu7k/ZTZpW2PfQNauqxdxpxdhY0YkzCd+Rr82RgyfFNNOKi5rqkSdyXMHwNXFWwFZwdAwGejmiQh3Un28rKB4y623tQRHB2zTFG23satIIQx4aVkyLkvOZdpmWbxnnx9r4Hpii8H628vgLqC+7Ja/8wuVl6CT5LilE9Cp2+4I+UW2YIYAE=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CO1PR18MB4684.namprd18.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(8096899003)(13003099007)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Fz+06y5RwNNDh45h2Rt/d7JBlS178LdOsWrAqHJi3P2LDF7i9pXZJKO0TK40FyvnSX132gf0rzJGQExKx/SufB53j9KJQ9EaQHI8TSupzLBOVkTo/KJTbQbGJqzK2vfF5JN5WNrhwpgdDRpLuStwYvN8orUwvOVbDdHYB5N12zghAFSVM69wtJNkfZO5xzQin7D0dUbrh/Zw9xKIddSaKUJU54NC9J/vlQGjIQBcSfxd2PqeFkhL5bOkRWTHxc312tpc3ETxctMjSXaPka7ypLc0phZNI0agYZCNbXWjz+ttP/yz0KtgqS720FrDhZ8LzYHOjy65N2QtKsIqwY/tC5AOejipjU5QLdHOUaFqACgJPkvjlOxZtbLCYf3vM5Cc2Tp+ajuxOnnX+4+cs0sHqCvjhSPaghYvvmeWh/Fa/RtQJ6Pov+DS/yCTwmNWtCOa8Qt5XuKni/n9V62qW5wJKdTOtjDaKj5wYLfjAyDFPLPIJPPO2JkIW0NbPYhR4Po4oJF8GJbBXcN74V5b0Efq6vhtNJJn245Nli28vyDCJ4DBlU8UyI6hF4f5FuHCE/Hyj75O9WGgfXHeTFJMk6IjxdkAsCYC/YN9odF8Npl0AZ+/fHzNwXr9aneYyryiCHZxC+ujGqqWHzJLGXossiGPcZpwnw64L3mgmm4j7TE+nxJXWm06F9Te11HqGIly1KzPYM+0JwrovakpR+JClqdkYehEZ1x3g+Pick7uNV0hKCmaBiALMvXPFOrWgwBUOxmZGafsUtHhMbiCaJn6hJGxtAvEr51z7zP2KbskMT2pkcBAP2oXtBqTUVGrDvGE1icQV5atcmyA0qxC9ULqr4Yt1PvU2JF00vdr/Q7r+5col8FHrf7DIMwe7RpUX8gfsmKTDkBDYZmQU4xiCAcSSbag0VEVhD225xX244m1tmtFu6901qYQ/m1ipjD5xll6d5jQzVdiQPaYrfBBr71ejYleyKM+3tHnNmuBlZumWxLq0znyGkVn7s2K6w8og5PFuM9WhPVEJjMowvyb+O+B+jX5/uXjxl7Ma8k5f186iV9GcPyoDK4UuEtbgpb5rsZshQC/c+SFkwVWp10iuGFrGm93/sJeQpFwqAUVEbcJwoz+bI6ELmYef1qDNvRL5sieGreRXaF2ZhFaqaMGmPcZinyQCahabeLx2cH5wq/COlgw24ytMBDFnGLXWkonTWQphvVC/u4bewgr3inZ+PkHUPRoL6Y7BFPsLfDHu8tmVEW8q2hZwctfPdKVhhpIoJNc2rCsn1TmS/NZQ7za82QABWBCC+tgtYiqumoK1eG5QndfLzcfN0REH24R5DTwtLPb24LAnwEwChfCaehh6K89634DsTmBmihTQ3YjUnDwwvPrkq7RJbPAW0DwMzQoBn/gNzr77TTelHq9vfJ4F/f0bQfzzPY3LKC5mITxQfwMJF2ix9d/5rPTGte4eMFbg74xJY+Y+6zFLS3cr6S7cWIpiB2S+ux6yOozmhlZcbhtFAejBpWUPGg7qoBMUZ71u/Ry854TTSrM8M/quGe53TkiDEA8mY6z/xzYy+1K1fYqDNSz6z8=
Content-Type: multipart/alternative; boundary="_000_CO1PR18MB46844001C4CA2621182321BCD95CACO1PR18MB4684namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR18MB4684.namprd18.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b4cabf95-178f-4156-3e3c-08ddc940ed3c
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jul 2025 16:58:05.1454 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5280104a-472d-4538-9ccf-1e1d0efe8b1b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: /bHaXOqwJEtUg0V7zuTDF79cFZEDIh+kybV37ZUfbYflOU2HAytf9a0UjR7b8E1o5mUOy5u6+J4qq2Ow+WWKCQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR18MB5472
X-OriginatorOrg: amazon.com
Message-ID-Hash: CDOBEPEHWOJ35JZDULF37LGNZRFMHMZN
X-Message-ID-Hash: CDOBEPEHWOJ35JZDULF37LGNZRFMHMZN
X-MailFrom: prvs=2911070ca=jeffsec@amazon.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Review of draft-rosenberg-oauth-aauth-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eA3pjEcwalvOjEMqzr2Ww8lKUv4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

[+ OAuth WG as this touches their core specs]

Thanks Jonathan and Pat for putting that forward.

Here are some comments / questions / suggestions:


  *   The use cases are very clear and are very good thought experiments to rubberstamp / challenge the models of delegated authorization we have build so far



  *   Unfortunately, the proposition seems to point towards a glorified Knowledge Based Authentication (KBA) as it will use PII validation to authenticate  as a form of "password" in a glorified Resource Owner Password Grant type flow as the request is only dealing with the Token endpoint... the problems are:
     *   Knowledge Based Authentication is highly insecure cause anyone that knowing this static information can impersonate someone else
     *   It is based on PII which are Identifiers and not Authentication factors, therefore can only allow to identify someone. On top of that, PII leak constantly and are no longer considered secure
        *   Also what would prevent the AI agent to fetch those information from the internet on behalf od the user as you noted into section 3.1. <https://datatracker.ietf.org/doc/html/draft-rosenberg-oauth-aauth#section-3.1> Basic Token Flow<https://datatracker.ietf.org/doc/html/draft-rosenberg-oauth-aauth#name-basic-token-flow>

By altering the required set of PII elements, designers of AI Agents can control the likelihood of hallucination (or malicious prompt injection attacks) resulting in a token issuance for the wrong user. The selection of the information becomes even more important for AI Agents. Usage of PII elements which are known publically becomes a real risk. If these are included in the training data for the LLM, it is indeed possible (and likely) that the LLM would hallucinate it. For example, if the patient in question is a famous actor, and their date of birth is public record in the IMDB, it is likely that the LLM would hallucinate the date of birth. Consequently, the Authorization Servers can be configured to require sufficient number and complexity of PII in order to provide the desired level of security.


        *   This hardly advocates for the PII to not flow through the AI cause thinking the AS will be smarter than the AI by configured to require sufficient number and complexity of PII in order to provide the desired level of security is a false expectation


     *   Resource Owner Password Grant flow is obsolete and deprecated see https://www.rfc-editor.org/rfc/rfc9700.html#name-resource-owner-password-cre



  *   Without consideration about the above points we are exchanging an AI Agent risk by a very secure AI Agent that could on very misleading / spoofable / malicious crafted information. I don't think this better.



  *   Have you evaluated Client Initiated Backchannel Authorization grant type flow [  https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html ] before designing this new specification?
     *   This would perfectly fit into the following specification statement in section 3.2. <https://datatracker.ietf.org/doc/html/draft-rosenberg-oauth-aauth#section-3.2> Human-In-The-Loop<https://datatracker.ietf.org/doc/html/draft-rosenberg-oauth-aauth#name-human-in-the-loop>

Initiate the consent review flow with the user. This spec does not specify how this occurs, it could be through an app, a chat client, or some other mechanism.

My 0.02 Canadian Dollars

Jeff

Jean-François "Jeff" Lombardo | Amazon Web Services

Architecte Principal de Solutions, Spécialiste de Sécurité
Principal Solution Architect, Security Specialist
Montréal, Canada
( +1 514 778 5565

Commentaires à propos de notre échange? Exprimez-vous ici<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

Thoughts on our interaction? Provide feedback here<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

v2.46.0 | Report a Bug | By Email | System Status